Bob*_*Bob 10 security android android-studio
在我的BroadcastReceiver之后:
public class MyBroadcastReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
// my code
}
}
它在AndroidManifest中注册:
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />
<receiver android:enabled="true"
android:name=".MyBroadcastReceiver">
<intent-filter>
<action android:name="android.intent.action.DATE_CHANGED" />
<action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter>
</receiver>
linter在MyBroadcastReceiver的onReceive方法中报告以下错误:
此广播接收器声明了受保护广播操作字符串的intent-filter,该字符串只能由系统发送,而不能由第三方应用程序发送.但是,接收者的onReceive方法似乎不会调用getAction来确保收到的Intent的操作字符串与期望值匹配,这可能使另一个actor可以发送一个没有操作字符串或不同操作字符串的欺骗意图并导致不良行为.声明受保护广播操作字符串的intent-filter的BroadcastReceivers必须检查接收到的intent的操作字符串是否与期望值匹配,否则恶意actor可能会欺骗意图.
问题ID:UnsafeProtectedBroadcastReceiver
如何修复UnsafeProtectedBroadcastReceiver?
The*_*rer 16
过滤动作,就像它说的那样:
public class MyBroadcastReceiver extends BroadcastReceiver {
@Override
public void onReceive(Context context, Intent intent) {
switch (intent.getAction()) {
case Intent.ACTION_DATE_CHANGED:
//what you want to do
break;
case Intent.ACTION_BOOT_COMPLETED:
//what you want to do
break;
}
}
}
如果你没有检查,任何应用程序只需指定类名就可以在你的Receiver上"调用"BOOT_COMPLETED,因为它会绕过过滤器.
| 归档时间: |
|
| 查看次数: |
1815 次 |
| 最近记录: |